4 Feb 2009, 6:18 p.m.
On Wed, Feb 4, 2009 at 5:23 PM, Chris Johnson <cxjohnson@gmail.com> wrote:
> From a security point of view, any time the web server process has write access to any directory or file, it makes me nervous. For this SQLite scheme to work, obviously the web server process will have to be able to create and update the file in which the SQLite database resides. This seems like it provides another possible vector for exploits. Tell me how we will protect against such attacks.
That's an excellent point. It has been chx's concern from the beginning. If you read http://drupal.org/node/367660, you will see that a whitelist of paths retrieved from the registry has been made just for that.

Damien Tournoud